• You are not logged in.

    Passphrase.Life has a Colemak Virtual Keyboard

    • Started by wmcmeans
    • 14 Replies:
    • Reputation: 3
    • Registered: 03-Jul-2018
    • Posts: 7

    The online password analysis tool, Passphrase.Life, implements 8 alternate keyboard layouts, including Colemak. Not only can you securely check your online credentials, now you can do so using your favorite alternate keyboard mapping.

    Offline
    • 0
    • Reputation: 83
    • From: Oslo, Norway
    • Registered: 13-Dec-2006
    • Posts: 4,439

    Probably not, unless it includes Colemak-ⲔⲰ[eD]! :-p

    *** Learn Colemak in 2–5 steps with Tarmak! ***
    *** Check out my Big Bag of Keyboard Tricks for Win/Linux/TMK... ***

    Online
    • 1
    • Reputation: 10
    • Registered: 06-Jun-2013
    • Posts: 483

    on subject of passwords, it is possible to judiciously choose them to be the same on both qwerty and Colemak-ⲔⲰ[eD]

    can be useful... I use just such a password for the LUKS full disk encryption on my laptop - just in case..

    Offline
    • 0
    • Reputation: 83
    • From: Oslo, Norway
    • Registered: 13-Dec-2006
    • Posts: 4,439

    Just don't tell anyone you did that, as they'll be easier to brute-force then... oops... ^_^

    *** Learn Colemak in 2–5 steps with Tarmak! ***
    *** Check out my Big Bag of Keyboard Tricks for Win/Linux/TMK... ***

    Online
    • 0
    • Reputation: 47
    • From: UK
    • Registered: 14-Apr-2014
    • Posts: 622

    That tool seems overly pessimistic. Even something like the suggestion in the famous xkcd cartoon fails, supposedly crackable within 19 seconds.

    Last edited by stevep99 (09-Jul-2018 10:12:51)

    Using Colemak Mod-DH with some additional ergonomic keyboard mods.

    Offline
    • 1
    • Reputation: 12
    • Registered: 01-Apr-2018
    • Posts: 113

    ... Why would anyone type a passphrase into a live website that doesn't let you save it locally and unplug your ethernet connection, then delete all the files completely, and clear your browser cache and history?

    EDIT: My bad, didn't save it properly. Still a pretty terrible metric for this kind of thing. :P I have used algorithms that tell me some of my passwords will be cracked by the time of the heat death of the universe, but this seems to say that anything less than 64 characters (which many sites won't accept) is useless and cracked in seconds.

    For the benefit of those who may not be aware of best security practices, NEVER enter a password you intend to use into a live website. Some would argue that the workaround I described is insufficient for total security, and they're right.

    Last edited by azuvix (04-Jul-2018 18:46:44)
    Offline
    • 1
    • Reputation: 83
    • From: Oslo, Norway
    • Registered: 13-Dec-2006
    • Posts: 4,439

    *Universe is in its death throes. Entropy everywhere, enthalpy hard to come by.*
    ...
    "Ha! Finally we have the devious passwords of that fiend Azuvix cracked! Now, to..."
    ...
    *Universe fizzles out. Acta est fabula, plaudite.*

    Last edited by DreymaR (04-Jul-2018 20:09:32)

    *** Learn Colemak in 2–5 steps with Tarmak! ***
    *** Check out my Big Bag of Keyboard Tricks for Win/Linux/TMK... ***

    Online
    • 0
    • Reputation: 12
    • Registered: 01-Apr-2018
    • Posts: 113

    One has to wonder what I'll leave behind that could possibly be so important that it diverts attention from the impending doom of everything. ;)

    Offline
    • 0
    • Reputation: 3
    • Registered: 03-Jul-2018
    • Posts: 7
    DreymaR said:

    Probably not, unless it includes Colemak-ⲔⲰ[eD]! :-p

    Please forgive my ignorance--I didn't realize there was a popular mod to the layout. I'll add that to the analyzer. Thank you!

    Offline
    • 0
    • Reputation: 3
    • Registered: 03-Jul-2018
    • Posts: 7
    stevep99 said:

    That tool seems overly pessimistic. Even something like the suggestion in famous xkcd cartoon fails, supposedly crackable within 19 seconds.

    Overly pessimistic? Indeed it is (by default)! But you can always adjust the Uncertainty settings to reflect your own What-If scenario, using Verbose Mode. :-)

    The only useful metric for measuring password/passphrase strength is entropy, which is the chaos or uncertainty it contains. Length may increase entropy (or may not). Complexity may increase entropy (or may not). Patterns in the credential will always dilute entropy, and make the passphrase weaker.

    Entropy primarily results from how a password was created, not from what it contains--that's a close second. You mentioned Munroe's famous cartoon, so let's start with that.

    Before he wrote the comic, if you used "correct horse battery staple" to secure your online accounts, you could expect the account to last about 13 months in an offline attack (full database breach), not 19 seconds. To see this in the analyzer, just ignore Patterns. (Yes, for those who know, I'm ignoring how the passphrase may be hashed to keep the conversation simple. But frankly, you probably don't know for certain what hash was used on your account anyway, if any.)

    But that was then and this is now. Randall's phrase has gone viral, and everybody knows about it. That's why it's no good to use, and that's why Passphrase.Life gives it about 19 seconds to live (generous really, considering the speed of current GPU cracking rigs, advances in hashcat pattern attacks, and the overall forward march of technology).

    Overlooking the fact his comic contains 4 simple dictionary words (patterns), easily targeted by hashcat password cracking utlities today, it has only 44 bits of entropy by his measurement. A Sagitta Brutalis rig, burning through an average 350,000,000,000 passwords per second, would kill 44 bits of entropy in 25 seconds! And that's low-end hardware; not a supercomputer, not AWS and not nation-state actors.

    Recall that his comic has an attacker using a rate of 1000 guesses a second, not 350 billion! It makes all the difference in the world.

    Bottom line: Passphrase.Life isn't as far off the mark as it may seem.

    Offline
    • 1
    • Reputation: 12
    • Registered: 01-Apr-2018
    • Posts: 113

    Excellent overview. That was a very knowledgeable post. :)

    Now you've got me wondering how something like a diceware password would fare. On the one hand, it IS more random than simple randomizers that require a user-supplied seed and it can be done entirely offline, but it's also selecting from a known bank of words on a website. If nothing is done to augment that, a brute force attack could undo a generated password in no time at all, wouldn't you say?

    Offline
    • 1
    • Reputation: 3
    • Registered: 03-Jul-2018
    • Posts: 7
    azuvix said:

    ... Why would anyone type a passphrase into a live website that doesn't let you save it locally and unplug your ethernet connection, then delete all the files completely, and clear your browser cache and history?

    EDIT: My bad, didn't save it properly. Still a pretty terrible metric for this kind of thing. :P I have used algorithms that tell me some of my passwords will be cracked by the time of the heat death of the universe, but this seems to say that anything less than 64 characters (which many sites won't accept) is useless and cracked in seconds.

    For the benefit of those who may not be aware of best security practices, NEVER enter a password you intend to use into a live website. Some would argue that the workaround I described is insufficient for total security, and they're right.

    "Why would anyone type a passphrase into a live website..." This is an excellent question!

    Passphrase.Life (PL) is a client-based analyzer, which means it runs in your browser and needs no server. You can hit the page, disconnect from the Internet, and analyze anything without a network connection. It doesn't log or track or record or send any analyzed data over the network. To see for yourself, open Chrome devtools and check out localStorage, cookies, and network connections, as you type. You'll see there is no activity.

    Just as importantly, PL performs keystroke analysis, not word analysis as a whole. It has no way of knowing the actual credentials you are analyzing because it performs real time analysis as you type. (You could keep on typing 20 characters past your actual password and it wouldn't know the difference.)

    All of this means you can safely analyze your real credentials using Passphrase.Life. And isn't that the point?

    Last edited by wmcmeans (20-Jul-2018 23:27:21)
    Offline
    • 0
    • Reputation: 3
    • Registered: 03-Jul-2018
    • Posts: 7
    azuvix said:

    Excellent overview. That was a very knowledgeable post. :)

    Now you've got me wondering how something like a diceware password would fare. On the one hand, it IS more random than simple randomizers that require a user-supplied seed and it can be done entirely offline, but it's also selecting from a known bank of words on a website. If nothing is done to augment that, a brute force attack could undo a generated password in no time at all, wouldn't you say?

    In 2014, the diceware author himself suggested having no less than 6 words in your randomly-created passphrase. The chart below equates that to a 12-grapheme (character) password created entirely at random:

                grapheme entropy & word list entropy & full unicode entropy
    
                ==============================================================================
                grapheme      entropy   |  diceware    entropy    |    full            entropy
                count                   |  count                  |    unicode
                log2(95)                |  log2(7776)             |    log2(277,021)   
                ------------------------------------------------------------------------------
    
                    8         52.5592          4      51.6992              
                                                                           3           54.2283
                    
                    9         59.1291    
    
                   10         65.6990          5      64.6240
    
                   11         72.2689                                      4           72.3044
    
                   12         78.8388          6      77.5488
    
                   13         85.4087    
    
                   14         91.9786          7      90.4736              5           90.3805
    
                   15         98.5485
    
                                               8     103.3985
                   16        105.1184                         
                          
                                                                           6          108.4566
                   
                   17        111.6883                                                
     
                                               9     116.3233
                   18        118.2582                           
    
                   19        124.8281                                      7          126.5327
                    
    
                                              10     129.2481
                   20        131.3980              
    
                   21        137.9679
    
                                              11     142.1729
                   22        144.5378                                      8          144.6088
    
                ==============================================================================

    Let's just call it 80 bits. It would take a Sagitta Brutalis, at 350 billion guesses per second, roughly 54 millenia, on average, to discover 80-bits (either a passphrase or a password). Honestly, that's probably safe enough for most of us.

    But to keep things in perspective, the Chinese TaihuLight Supercomputer, at  2.94 × 10²⁴ guesses per second, could cut through 80 bits in about 2 months 2 weeks, in theory. It just depends on who your attacker is.

    NOTE: BY the chart you can easily see that once we begin to add full Unicode graphemes into our passwords, they don't have to be nearly as long to be just as secure. Sadly, the INFOSEC Industry is not on par with this yet. (And yes, Passphrase.Life accurately measures passwords containing full Unicode.)

    Last edited by wmcmeans (08-Jul-2018 17:18:49)
    Offline
    • 1
    • Reputation: 12
    • Registered: 01-Apr-2018
    • Posts: 113

    Exceptional. :) Thank you for the further explanation and serious food for thought. It's a subject I can't get enough of!

    Offline
    • 0
    • Reputation: 3
    • Registered: 03-Jul-2018
    • Posts: 7
    azuvix said:

    Exceptional. :) Thank you for the further explanation and serious food for thought. It's a subject I can't get enough of!

    You're most welcome!

    Offline
    • 1